With tokens there are better things that could be done too, but evidently
Citi has a very simple protocol.
Glenn Everhart
(everhart at gce.com home)
-----Original Message-----
From: dpw [mailto:dainw at fsr.com]
Sent: Monday, July 10, 2006 5:50 PM
To: 'Web Security'
Subject: RE: [WEB SECURITY] Phishing attacks circumventing two-factor auth
For any mission critical applications, lately I have been using a
server-side generated "magic hash" key that I generate when the form is
loaded, and which gets posted along with my forms.
When the application requests posted information from the form I compare the
key I get with another generated key and authenticate that the form that
posted back to the application is part of the application, and approved to
post. For real sensitive apps, I introduce a time-specific factor into the
form's key, so that it must be posted within 5 minutes of loading or the key
is no longer valid.
This is just stupid simple to do, and I can't imagine these folks not having
something way more advanced in place for their application...
Dain White
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440
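The form key Dain describes (a server-generated value emitted when the form loads, checked on post, with a time limit so it expires after five minutes) can be built as a keyed hash rather than a stored nonce. The example below is an added illustration, not code from the thread or from First Step Internet; it assumes the token is bound to a session identifier and a form name (both hypothetical parameters), uses an HMAC over those values plus an issue timestamp, and compares in constant time.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed for the example: a real deployment loads this from a secret store
# and keeps it stable across server restarts so issued tokens remain verifiable.
SERVER_SECRET = os.urandom(32)

MAX_AGE_SECONDS = 300      # the five-minute window described in the post
FUTURE_SKEW_SECONDS = 60   # tolerance for a token that appears issued "in the future"


def _mac(session_id: str, form_name: str, issued_at: int) -> str:
    """HMAC-SHA256 over session id, form name and issue time, keyed by the server secret."""
    msg = f"{session_id}|{form_name}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, form_name: str, now: Optional[float] = None) -> str:
    """Generate the hidden-field value when the form is rendered.

    The timestamp travels in the clear alongside the MAC; the MAC covers it, so a
    client cannot move the timestamp forward without invalidating the token.
    """
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}.{_mac(session_id, form_name, issued_at)}"


def verify_form_token(token: str, session_id: str, form_name: str,
                      now: Optional[float] = None) -> bool:
    """Check a posted token: well-formed, not expired, not from the future, MAC matches."""
    try:
        ts_str, mac = token.split(".", 1)
        issued_at = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed token

    current = int(now if now is not None else time.time())
    if issued_at > current + FUTURE_SKEW_SECONDS:
        return False  # timestamp ahead of the server clock: skew or tampering
    if current - issued_at > MAX_AGE_SECONDS:
        return False  # form loaded more than five minutes ago

    expected = _mac(session_id, form_name, issued_at)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    t = issue_form_token("sess-1", "transfer")
    print("fresh token valid:", verify_form_token(t, "sess-1", "transfer"))
    print("stale token valid:", verify_form_token(t, "sess-1", "transfer",
                                                   now=time.time() + 600))
```

Because the secret never leaves the server, the check needs no per-form storage and rejects posts that were not rendered by the application or that arrive after the window closes. It does not address the relay attack that started this thread: a proxy that fetches the real form and forwards the user's submission within five minutes presents a perfectly valid token, so the form key is a control against forged or replayed posts, not against a man-in-the-middle phishing site.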
-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
Sent: Monday, July 10, 2006 2:13 PM
To: Web Security
Subject: [WEB SECURITY] Phishing attacks circumventing two-factor auth
Brian Krebs (washingtonpost.com) has a good write-up about a recent
phishing attack specifically designed to circumvent two-factor
authentication. The technique used a fake web page acting as a
man-in-the-middle between the user and the real website. A simple hack
proving a good point. How can a user defend themselves with any kind
of solution if they can't tell whether or not a website is real?
Citibank Phish Spoofs 2-Factor Authentication
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
"Security experts have long touted the need for financial Web sites
to move beyond mere passwords and implement so-called "two-factor
authentication" -- the second factor being something the user has in
their physical possession like an access card -- as the answer to
protecting customers from phishing attacks that use phony e-mails and
bogus Web sites to trick users into forking over their personal and
financial data."
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]